About two years ago, Thomson Reuters began tackling a problematic phenomenon that was emerging for enterprises worldwide: Employees bringing their smartphones and other computing gadgets into the workplace. While companies can lock down corporate-owned mobile devices with policies and established technologies such as BlackBerry Enterprise Server, these personally owned systems require a whole new way of thinking.
“We knew data would be on devices that we didn’t control and wanted something that was BlackBerry-like to manage those devices,” says Tim Mathias, senior director of IT security at Thomson Reuters. “The problem was we didn’t own the device, so we started looking at the technology, policies and standards within the company and challenged ourselves to come up with some policies that would protect the company but allow individuals to use a device of their choice.”
The New York-based information giant – which has 55,000 employees in more than 100 countries worldwide – is taking a multi-level approach to deal with the growing issue. In addition to developing policies, it’s looking into mobile device management technologies, and working with a technology partner to understand mobile application security risks.
The deluge of iPhones, iPads and Android devices into the enterprise is forcing a major shift away from the standard model of corporate-owned, corporate-controlled computer systems. These powerful, portable devices give employees anytime, anywhere access to corporate email, with real productivity gains. At the same time, this consumerization of IT has security managers on edge. Personal mobile devices are easy to lose and easy for thieves to steal, and the sensitive enterprise data on them goes with them. The threats of mobile malware and malicious mobile applications also loom.
Experts say the new post-PC era requires companies to shift their security thinking, develop new policies and implement technologies that maintain enterprise security without degrading the experience that users value in these devices. Without a doubt, IT consumerization is a trend organizations can’t afford to ignore.
“You’re sticking your head in the sand if you think you’re not going to allow these things,” says Philip Cox, director of security and compliance for consulting firm SystemExperts. “Either you take control of this or it’s going to control you.”
A GROWING TIDE
It’s a scenario many IT managers are probably familiar with: A C-level executive enamored with his or her iPhone or iPad wants enterprise support for the device. The trend really took hold last year, says Ojas Rege, vice president of products and marketing at mobile device management company MobileIron. “That opened the door to this notion of devices coming into the enterprise outside of IT and IT needing to support them,” he says.
Kurt Roemer, chief security strategist at Citrix Systems, says he was flooded with calls from worried enterprise security managers after the iPad came out. They wanted to know how to tell their executives the company couldn’t use the device, but “executives were saying, ‘If you don’t put this on the network, I’ll find someone who will,’” he recalls.
“More and more employees want to bring their personal devices into the enterprise and many organizations aren’t ready, but they’re being forced to consider it,” says Nicholas Arvanitis, a principal security consultant at Dimension Data Americas, an IT services and solutions provider.
Companies are caving in to the demand, it appears. According to a Forrester Research survey of about 1,000 North American and European enterprises and SMBs from the first quarter of this year, about half of the firms surveyed support employee-owned mobile phones and smartphones.
In describing how companies are dealing with the influx of personal phones and tablets, Andrew Jaquith, chief technology officer at Perimeter E-Security, compared what he saw six months ago when he was an analyst at Forrester to the famous five stages of grief: denial, anger, bargaining, depression and acceptance.
“I would say about half of companies are in the bargaining phase. They haven’t fully accepted it, but they know they need to do something and they’re starting to figure out what their policies need to look like and what their approach will be,” he says.
Consumer mobile devices represent both a curse and an opportunity, Jaquith says. “They’re a curse in the sense that you’re making IT security rethink its entire approach to mobile devices,” he says. “The opportunity is very clear: These are devices that give employees more satisfaction and high productivity at their jobs. As we move into this post-PC era, enterprises are going to be forced to accommodate these devices one way or another.”
Supporting employee-owned devices is important to Thomson Reuters for recruiting new employees, Mathias says. In the two years that the company has been working on its strategy for personal mobile devices in the enterprise, the technology options have improved and the company’s understanding of the risks posed by the devices has grown, he says.
“Simply being able to plug an Android phone into any workstation of my choosing and use the storage on that phone as a way to take files out of the office – now it’s a gigantic USB fob,” he says.
Rules of the Road
Enterprises that want to allow employees to use their personal smartphones and other devices in the workplace need to include some baseline items in their mobile policy, according to Chenxi Wang, a vice president and principal researcher at Forrester Research. They include:
--IT reserves the right to manage any mobile device with access to corporate data, including those that are personally owned.
--The organization reserves the right to monitor the activity of personal mobile devices when they are in the company network.
--Employees should follow Internet acceptable use policies while in the corporate environment.
--The company isn’t responsible for damage to personal content due to corporate management functions imposed on the device.
--The organization can disable any mobile device access to corporate resources at any time deemed necessary.
--Users must inform IT if the device is lost or stolen.
More specific policies a company might want to consider include enabling password-based entry and remote locking features, and reserving the right to remotely wipe the content on the device in the event of theft or loss, according to Wang.
Data loss and unauthorized access are the top enterprise security risks posed by personal mobile devices, says Matthew Todd, CSO and vice president of risk and technical operations at Financial Engines, a Palo Alto, Calif.-based independent investment advisor.
“Portable devices like smartphones and iPads are really just modern takes on the laptop – smaller, more fun, but just as filled with information as that old ThinkPad,” he says. “Portable devices can have contact lists, emails, confidential attachments, or even confidential images, audio or video. The threat takes on a whole new angle when smart devices are integrated with the corporate environment and your smartpad or smartphone can access internal systems or websites.”
Compounding the risk is the fact that unlike PCs, these small portable devices are easy to leave behind in cabs and restaurants and for thieves to snatch.
Mobile malware is another risk, but one that’s just emerging. In March, Google pulled nearly two dozen free applications from its Android Market after they were discovered to contain hidden malware. Called DroidDream, the malware tried to gain root access to the smartphone to view sensitive data and download more malware.
DroidDream “illustrated how real the malware threat is for Android,” Chenxi Wang, a vice president and principal researcher at Forrester Research, wrote in a recent report. “Personal devices that have the freedom to download any apps are a ripe source for infection. …Defending against mobile malware will be an increasingly important IT priority as Android overtakes iOS as the top selling mobile platform.”
Chris Wysopal, co-founder and chief technology officer at application security company Veracode, says the iPhone has been fairly unscathed by malware, “which goes to show that the walled garden, or whitelisting, of only known apps on the device is adding some security.” In comparison with the higher scrutiny in Apple’s App Store, applications in the Android Market lack security vetting, he says. Veracode earlier this year launched a mobile application verification service.
“One of the biggest risks is applications installed by users without being vetted,” says Dimension Data’s Arvanitis.
“I believe mobile devices will be the next huge threat vector,” says Ryan Laus, network manager at Central Michigan University. “We’re still in a learning phase, but I think they really will be a huge target for attacks down the road.”
PORTABLE DEVICE POLICIES
While Thomson Reuters wants to implement strong security on employee-owned devices, the company knows it needs policies in order to do that.
“We want to be able to reach out and kill a phone that’s been stolen or lost, much like we can with the BlackBerry today, but we as a company want to have the right to do that and the technology to be able to do that for a device we don’t own. That’s where the policies come in. We need an agreement with individuals before we can start managing a device like that,” Mathias says.
Jaquith says companies need to create what he calls a “mobile access and security covenant” with their employees. “You have an agreement between employees and the employer, and that’s, ‘You can bring your gear to work and use it to get email but in exchange, I’m going to ask you to do some things.’” That includes allowing security policies that enforce corporate passcode settings to be applied to the device, and agreeing to hand the device over to corporate managers when an investigation requires forensics on it or a subpoena must be complied with.
Arvanitis says corporate policies can list what mobile platforms will be supported and include different rules depending on an employee’s role. “Those use cases need to be understood, along with the flows of data and security of that data,” he says. “Only once you’ve got that security architecture in place at the business level can you put in technical controls.”
In her report, “Managing the Security and Risk Challenges of Personal Devices in the Workplace,” Forrester’s Wang outlines baseline items organizations should include in their mobile policy (see “Rules of the Road”). Security teams need to work with legal and privacy departments on the rules, and also need to consider some unique legal and privacy challenges posed by personally owned devices in the office, she advises.
For example, she notes, an organization could be liable if an employee misuses copyrighted material on their personal device. Also, imposing corporate controls on personal smartphones and other devices could conflict with privacy laws; some countries don’t permit a company to audit the network security of personal devices, enforce acceptable usage policies or impose an endpoint agent, Wang says in her report.
“For a global organization, where your operations must comply with multiple, different privacy regulations, knowing how to monitor and control personal devices on your network can indeed be a challenge,” she says. “It may also mean you must develop different policies for different regions.”
When it comes to enforcing enterprise security like passwords and lockout on a mobile device, the BlackBerry platform is the runaway favorite, experts say. Mathias calls the BlackBerry Enterprise Server the “gold standard.”
“The BlackBerry was built from the ground up to meet those requirements. It’s an enterprise device that found its way into the consumer world,” Veracode’s Wysopal says. “Other devices are coming from the consumer world into the enterprise and lack these features.”
Essex Agricultural and Technical High School (“Essex Aggie”) wanted to be able to allow students and faculty to bring their own personal computing device to campus, whether a laptop, iPhone or iPad. The question was how to do it securely.
The public vocational high school in Danvers, Mass., which counts about 485 students and 55 faculty members, decided to deploy network access control (NAC) technology from Bradford Networks. The vendor’s Campus Manager product automates registration of users, scans for operating system and antivirus updates, and monitors access and network usage.
“It’s nice to know that security holes in the operating system are plugged,” says Kyle Jones, technology manager at Essex Aggie. “Bradford is checking to make sure the latest versions of the Windows service packs and Apple updates have been applied.”
One way organizations can gain a basic level of control over all the iPhones, Androids and other devices employees are using at work is through Exchange ActiveSync, experts say. “That’s going to be your choke point,” says Jaquith. Companies can use it to enforce password policies and device lock if the wrong passcode is entered too many times, he says.
However, companies can run into scalability problems with Exchange ActiveSync when trying to manage personal devices, Wang notes. A mobile device management system “can impose whatever policies you’ve established for these devices, monitor their operations, and give you a platform to impose controls to the extent it’s appropriate,” she says.
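The controls described above and in the “Rules of the Road” sidebar (enforced passcode, lock after too many wrong entries, remote wipe, the right to cut off access, a list of supported platforms) map directly onto Exchange ActiveSync mailbox policies. The following is an added example, not code from the article or from any of the companies it quotes. It uses the Exchange 2010 Management Shell cmdlet names of the article’s era (Exchange 2013 and later renamed these to New-MobileDeviceMailboxPolicy, Get-MobileDeviceStatistics and Clear-MobileDevice); the policy name, mailbox alias, notification address and thresholds are hypothetical, and step 5 requires Exchange 2010 SP1 or later.

```powershell
# Added example (not the article's own): a baseline ActiveSync policy for
# employee-owned devices on Exchange 2010. Names and thresholds are hypothetical.

# 1. Passcode and lockout settings every ActiveSync-connected device must accept.
#    Splatting keeps the settings readable and lets the same table be reused.
$baseline = @{
    Name                            = "BYOD-Baseline"
    DevicePasswordEnabled           = $true
    AllowSimpleDevicePassword       = $false        # no 1234 / 1111
    MinDevicePasswordLength         = 6
    MaxDevicePasswordFailedAttempts = 10            # device resets itself after 10 bad passcodes
    MaxInactivityTimeDeviceLock     = "00:05:00"    # auto-lock after 5 minutes idle
    DevicePasswordExpiration        = "90.00:00:00" # rotate the passcode every 90 days
    DevicePasswordHistory           = 5
    RequireDeviceEncryption         = $true
    AllowNonProvisionableDevices    = $false        # reject clients that cannot enforce the policy
}
New-ActiveSyncMailboxPolicy @baseline

# 2. Assign the policy to a pilot user (hypothetical alias) and confirm it took.
Set-CASMailbox -Identity "alice" -ActiveSyncMailboxPolicy "BYOD-Baseline"
Get-CASMailbox -Identity "alice" | Format-List ActiveSyncEnabled, ActiveSyncMailboxPolicy

# 3. Inventory what is actually syncing: platform, OS build, last sync, wipe status.
Get-ActiveSyncDeviceStatistics -Mailbox "alice" |
    Format-Table DeviceType, DeviceOS, LastSuccessSync, DeviceWipeRequestTime -AutoSize

# 4. "Reach out and kill a phone": queue a remote wipe for every device on the
#    mailbox once the user reports it lost or stolen. The wipe executes the next
#    time the device contacts the server, so also cut off access immediately.
Set-CASMailbox -Identity "alice" -ActiveSyncEnabled $false
Get-ActiveSyncDeviceStatistics -Mailbox "alice" |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -Confirm:$false }

# 5. Make ActiveSync the choke point for unsupported platforms (Exchange 2010 SP1+):
#    quarantine anything not explicitly allowed and notify the admins when it happens.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admins@example.org"
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPhone" -AccessLevel Allow
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType -QueryString "iPad"   -AccessLevel Allow
```

Two caveats a practitioner should keep in mind. ActiveSync policy is enforced by the client, not the server: the server only asks the device to apply the settings and trusts its answer, which is why `AllowNonProvisionableDevices $false` matters and why the text treats ActiveSync as a baseline rather than a substitute for device management. And the device-access rules in step 5 match on the self-reported DeviceType string, so they are an inventory and triage aid, not an authentication control.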
Mobile device management systems will become even more important as “mobile computing starts moving beyond just email to mobile applications,” Jaquith says.
According to Gartner, the mobile device management software market is quickly evolving with more than 60 vendors and little consistency. Most vendors offer on-premise or Software as a Service based tools and offer a range of capabilities, including inventory management, software distribution and security, such as enforced password, device wipe and remote lock, Gartner analysts wrote in a recent report.
They also advised enterprises that some device platforms limit manageability by design, so companies should not expect a mobile device management system to support every platform the same way. Android support is still immature, according to Gartner, which predicts it will be at least another year before Android is well supported by mobile device management vendors.
Thomson Reuters is taking another look at mobile device management vendors now that mobile operating systems are more mature and expose better management capabilities, Mathias says. The company is also looking at ways to improve how devices link to its Exchange environment, and at protecting its internal environment with a mobile VPN capability that integrates with the firm’s existing digital certificate infrastructure, so that certificates can be issued to mobile devices for secure VPN access.
Research in Motion (RIM) recently announced plans to release a multi-platform version of its BlackBerry Enterprise Server later this year, promising enterprises another way to manage the consumerization of IT trend. RIM is acquiring Ubitexx to develop the product, which it says will incorporate secure device management for Android and iOS devices. RIM notes that companies can “expect a range of security, manageability and controls depending on different device platform capabilities.”
A technique that some companies are using to balance mobility and security is to leverage Citrix desktop virtualization technology, experts say. That way, no corporate data is stored on the device. The Citrix Receiver, offered for a variety of mobile devices including iPhone and iPad, works as a “window to application and desktop virtualization,” Citrix’s Roemer says.
Understanding the risks in mobile applications, specifically Android and iOS phones, is another area that Thomson Reuters is tackling by working with a company that scans the applications to spot problems.
It’s beginning to discuss whether it wants to have a whitelist of applications for mobile phones, but whitelisting could be problematic because it makes the devices less personal, Mathias says. Understanding what applications are out there, how mobile employees are using them, and how the applications can be misused is new territory. “We’re just beginning to talk about how we keep up with this,” he says.
Marcia Savage is editor of Information Security. Send comments on this article to firstname.lastname@example.org.